[j-nsp] PPTP VPN through NAT on M10i

Alex Arseniev alex.arseniev at gmail.com
Tue Jan 17 02:33:29 EST 2012


PPTP ALG is supported from JUNOS 11.2R1
GRE is not supported with "nat source dynamic"
HTH
Rgds
Alex

----- Original Message ----- 
From: "Jo Rhett" <jrhett at netconsonance.com>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, January 17, 2012 3:19 AM
Subject: [j-nsp] PPTP VPN through NAT on M10i


I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP 
interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPSEC. Way 
back in my mind I remember something about having to create a second nat 
rule without port mapping, but it's not working. I'm pretty sure I'm 
forgetting something here.  Can someone spare a 2x4 and clue me over the 
head?

---yes, I know that the filters in the configuration below aren't active.

Here's the configuration now:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address 192.168.2.1/24;
            }
        }
    }
    sp-0/3/0 {
        unit 0 {
            family inet;
        }
    }

….

firewall {
    filter UNTRUST-IN {
        term ICMP {
            from {
                destination-address {
                    192.168.2.1/4;
                }
                protocol icmp;
            }
            then accept;
        }
        term EVERYTHING-ELSE {
            then {
                discard;
            }
        }
    }
    filter TRUST-OUT {
        term IPOUT {
            from {
                source-address {
                    192.168.1.0/24;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
}
services {
    service-set NAT {
        nat-rules Outbound;
        interface-service {
            service-interface sp-0/3/0.0;
        }
    }
    nat {
        pool NATPOOL {
            address 192.168.2.3/32;
            port {
                automatic;
            }
        }
        pool GRE-NATPOOL {
            address 192.168.2.3/32;
        }
        rule Outbound {
            match-direction output;
            term PPTP_VPNs {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                    applications GRE-PPTP;
                }
                then {
                    translated {
                        source-pool GRE-NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            term Else {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    translated {
                        source-pool NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
    }
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }
}
applications {
    application GRE-PPTP {
        protocol gre;
    }
}

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and 
other randomness

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
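Alex's two lines point at the underlying issue in Jo's rule: dynamic (NAPT-style) source NAT rewrites L4 ports to share one address among many inside hosts, and GRE (PPTP's data channel), ESP and AH carry no port field, so a term that matches them and translates with "source dynamic" or through a pool with a "port" block has nothing to multiplex on. The script below is an added example written for this thread, not code from either poster or from Juniper. It is a minimal reader for Junos curly-brace configuration (it ignores application-sets, comments and annotations) plus a lint pass over "services nat" that flags exactly that combination. The embedded SAMPLE_CONFIG is constructed from the NAT and applications stanzas Jo posted, with the two missing semicolons after "address 192.168.2.3/32" added so it parses; the remedy wording in the findings (a 1:1 static translation or a protocol ALG) is general NAT practice, not something the thread itself states.

```python
"""Lint a Junos 'services nat' stanza for port-less protocols (GRE, ESP, AH)
pushed through port-translating rules. Added example, not from the thread."""
import re
from dataclasses import dataclass

PORTLESS = {"gre", "47", "esp", "50", "ah", "51"}        # no L4 port field
DYNAMIC = {("source", "dynamic"), ("napt-44",), ("dynamic-nat44",)}  # shared-address types

@dataclass
class Node:
    words: tuple
    children: list = None   # None for a leaf statement such as 'protocol gre;'

def tokenize(text):
    return re.findall(r'\{|\}|;|\[|\]|"[^"]*"|[^\s{};\[\]"]+', text)

def parse(text):
    """Parse Junos brace syntax into a list of Nodes (tolerates a missing ';' before '}')."""
    tokens, pos = tokenize(text), 0
    def block():
        nonlocal pos
        nodes, buf = [], []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == ";":
                if buf: nodes.append(Node(tuple(buf)))
                buf = []
            elif tok == "{":
                nodes.append(Node(tuple(buf), block())); buf = []
            elif tok == "}":
                if buf: nodes.append(Node(tuple(buf)))
                return nodes
            else:
                buf.append(tok)
        if buf: nodes.append(Node(tuple(buf)))
        return nodes
    return block()

def find(nodes, *words):
    """First node whose leading words equal `words`, else None."""
    return next((n for n in nodes or [] if n.words[:len(words)] == words), None)

def application_protocols(cfg):
    """Map each 'applications application NAME' to the set of protocols it names."""
    stanza = find(cfg, "applications")
    return {app.words[1]: {leaf.words[1] for leaf in app.children or []
                           if leaf.words[:1] == ("protocol",) and len(leaf.words) > 1}
            for app in (stanza.children if stanza else [])
            if app.words[:1] == ("application",) and len(app.words) > 1}

def matched_protocols(term, apps):
    """Protocols a term's 'from' clause matches; an empty set means catch-all."""
    protos, frm = set(), find(term.children, "from")
    for leaf in (frm.children if frm else []):
        names = [w for w in leaf.words[1:] if w not in ("[", "]")]
        if leaf.words[:1] == ("applications",):
            for name in names:
                protos |= apps.get(name, {"unresolved:" + name})
        elif leaf.words[:1] == ("protocol",):
            protos |= set(names)
    return protos

def translation(term):
    """(source pool, translation-type words) from 'then translated', or (None, ())."""
    then = find(term.children, "then")
    translated = find(then.children, "translated") if then else None
    pool, ttype = None, ()
    for leaf in (translated.children if translated else []):
        if leaf.words[:1] == ("source-pool",) and len(leaf.words) > 1:
            pool = leaf.words[1]
        elif leaf.words[:1] == ("translation-type",):
            # 'translation-type { source dynamic; }' (10.4) or 'translation-type napt-44;'
            ttype = leaf.children[0].words if leaf.children else leaf.words[1:]
    return pool, ttype

def lint(config_text):
    """Return (location, severity, message) for NAT terms that cannot carry GRE/ESP/AH."""
    cfg = parse(config_text)
    apps, services = application_protocols(cfg), find(cfg, "services")
    nat = find(services.children, "nat") if services else None
    if nat is None:
        return []
    pools = {n.words[1]: n for n in nat.children if n.words[:1] == ("pool",) and len(n.words) > 1}
    findings = []
    for rule in (r for r in nat.children if r.words[:1] == ("rule",)):
        for term in (t for t in rule.children or [] if t.words[:1] == ("term",)):
            where = f"rule {rule.words[1]} term {term.words[1]}"
            protos, (pool, ttype) = matched_protocols(term, apps), translation(term)
            napt_pool = pool in pools and find(pools[pool].children, "port") is not None
            portless = sorted(p for p in protos if p in PORTLESS)
            if portless and (ttype in DYNAMIC or napt_pool):
                findings.append((where, "error", f"{'/'.join(portless)} translated with "
                    f"'{' '.join(ttype)}': no L4 port to multiplex on; needs a 1:1 static "
                    "translation or a protocol ALG"))
            elif not protos and napt_pool:
                findings.append((where, "warn", f"catch-all term uses NAPT pool {pool}; "
                    "GRE/ESP/AH flows that reach it cannot be port-translated"))
    return findings

# Constructed from the thread's NAT and applications stanzas, missing ';' added.
SAMPLE_CONFIG = """
services { nat {
    pool NATPOOL { address 192.168.2.3/32; port { automatic; } }
    pool GRE-NATPOOL { address 192.168.2.3/32; }
    rule Outbound { match-direction output;
        term PPTP_VPNs {
            from { source-address { 192.168.1.0/24; } applications GRE-PPTP; }
            then { translated { source-pool GRE-NATPOOL; translation-type { source dynamic; } } } }
        term Else {
            from { source-address { 192.168.1.0/24; } }
            then { translated { source-pool NATPOOL; translation-type { source dynamic; } } } } } } }
applications { application GRE-PPTP { protocol gre; } }
"""

if __name__ == "__main__":
    for where, severity, message in lint(SAMPLE_CONFIG):
        print(f"{severity}: {where}: {message}")
```

Run against the posted configuration it reports the PPTP_VPNs term as an error (GRE with "source dynamic") and the Else term as a warning: IPsec is not matched anywhere, so ESP falls into the catch-all and hits the NAPT pool, which is consistent with Jo seeing both PPTP and IPsec fail while TCP and UDP work.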
